Idiot firewall question

Posted by: ErikL on 04 October 2004

Are there any good reasons to keep using ZoneAlarm now that I have a router w/ hardware firewall?
Posted on: 04 October 2004 by Jim Lawson
I'd disagree and say no. What sort of hardware are you using ?
Posted on: 04 October 2004 by Toksik
Ludwig, keep using your software firewall in conjunction with your router's hardware firewall. Your ZoneAlarm keeps YOU in control of programs installed on your PC and YOU control how they interact with the Web.

dennis
Posted on: 04 October 2004 by Jez Quigley
It's a moot point. Certainly the hardware firewall will stop inward bound malware, but as Toksik implies, not any outward bound. However if you have good anti spyware/trojan/virus installed and the hardware firewall, and don't do anything silly, it's difficult to see how malware could get on to your PC in the first place. So I no longer use Zone Alarm, preferring to live without the added level of complexity.
Posted on: 04 October 2004 by Top Cat
One thing to bear in mind is whether your hardware firewall is actually configured properly. This depends on whether you have locked it down sufficiently to be able to rely upon it entirely. I have a firewall in my ADSL modem but configuring it is a black art and the manual gives NOTHING away, so I rely upon zonealarm for the PC and the in-built firewall in OSX for my Powerbook.

John
Posted on: 05 October 2004 by Mekon
I wish there was a 'block these ports' list. The nearest I can find is a list of ports used by trojans and a list of ports used by software. Comparing the two, it seems many trojans use the same ports as software does, so blocking all the trojan ports would screw things up. Is there not a list of ports that are only used for evil?

I am behind a NAT firewall at home, do I have to reinstall zone alarm? I have no idea how well it is configured; the interface is plain horrible. It's like playing Magnetron on the Spectrum with no instructions.
Posted on: 05 October 2004 by Andrew L. Weekes
I'd agree with Cliff, wireless makes a PC-resident firewall essential, as all wireless APs are inherently the wrong side of the WAN firewall.

The only bit of advice I'd offer that's different is to change Sophos AV to NOD32.

Andy.
Posted on: 05 October 2004 by matthewr
I agree with Bourne that it is an interesting question and that you should leave your software firewall enabled. Probably.

The best way to work out what to do is, of course, to understand the issues involved and then apply them to your individual situation. So, from the beginning:

-- A firewall is a device that allows you to control how data flows between a trusted computer/network (ie your PC and/or LAN) and an untrusted network (the Internet).

-- The data is sent over the wires in discrete chunks called packets each of which has a "to" address (i.e. the host) and "from" address (i.e. the client) in the form of IP addresses. A sequence of such packets forms a conversation between client and host called a session. So that you can have more than one session at once (and therefore do more than one thing at once) each session is assigned a separate logical number called a port.

-- A firewall (at least in the sense we are talking here) works by controlling the opening and closing of ports and the movement of packets through these ports. Hence, it's also sometimes known as a packet filter.

-- A router transfers, or routes, packets from one network to the other. In doing this it takes packets that come from your PC (or PCs) and changes the "from" address so that they appear to come from the router (specifically the router's externally visible IP address, which is the one provided by your ISP). When the reply comes back the router reverses this process and re-addresses the reply packets with your PC's actual IP address. This process is called Network Address Translation or NAT and although its main purpose is to allow you to share a single external IP, it effectively makes your computer invisible to the network on the other side of the router and thus provides a form of security.

-- Some routers just do NAT and require that you know which ports to open and close and once open will allow traffic across that port regardless. This is not only difficult to administer, it's also a pretty basic form of security, and if your router only does this I would say you definitely want a software firewall as well. The software firewall in this sense can provide some aspects of security (described below) missing from such a basic router.

-- Other routers (I am tempted to say "most routers" as most of the ones designed for home use do this now) also provide a form of a more secure firewall behaviour called Stateful Packet Inspection or SPI. Here the router has (by default) all the ports closed and only opens them in response to connections from the trusted side of the network (ie your PC). When it gets such a request it will open the port and allow communication between your PC and the server, allowing packets to flow back and forth between you and the server as before. This process is dynamic and automatic and such firewalls are significantly more secure and much easier to administer. Ports are only open when you request them and for the duration of your legitimate activity.

-- If your router does SPI (often it will be referred to as a "Natural Firewall") then the need for a software firewall is far less pressing. If you have otherwise good habits (AV scanning; sensible use of e-mail, P2P, IM; etc) then you can argue that is enough and you can save the complexity and (marginal) performance issues of a software firewall. (This is roughly Jez's point I believe).

-- You will have noticed, however, that inherent in how a router/firewall works is the fact that it trusts clients running on your PC. This is fine unless your PC gets infected by some kind of malware, in which case your router will allow it to open ports and communicate with the internet, which is obviously a bad thing. What software firewalls provide over and above routers is that they monitor outgoing packets as well and they can alert you when something tries to communicate outwards and ask you if it's ok or not. This is called egress filtering and its big advantage is that it captures the problem as it happens and not when you next run a virus scan. Hence, a software firewall can reduce the risk associated with certain types of exploit should they get past your defences. Some people argue this is essential on Windows PCs as there are so many pre-packaged 'sploits that allow the dumbest hacker access to very powerful rootkits (SubSeven, BackOrifice, etc).

-- The other issue with egress filtering is one of privacy. Even if your machine has not been compromised, it will have lots more software attempting to "phone home" (not least Windows) as well as, potentially, various bits of adware and spyware. Again a software firewall can help by alerting you to what is doing what in real time. (These last two points are TOKSIK's point I believe).

[Note there are other forms of SPI in specialised hardware firewalls that examine the packets in much more detail and allow protocol specific rules but you don't need that in a typical home network]

I'm not sure what Cliff and Andrew's point is with regards to wi-fi, firewalls and wardrivers. There are serious issues with wi-fi security (you really want at least WEP, preferably WPA-PSK encryption and should restrict the MAC addresses of allowable network clients) but I am not sure how a firewall helps in this respect. If someone comes into my flat my wi-fi network appears for connection despite having a software firewall and what stops them is the encryption. Perhaps they could clarify?

Matthew

Mekon said "I wish there was a 'block these ports' list"

SubSeven uses 31173 (ie. ELITE). Those whacky hackers eh?

[This message was edited by Matthew Robinson on Tue 05 October 2004 at 14:27.]
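Matthew's description of NAT, SPI and egress filtering above, as an added toy model written for this thread (not code from any poster or product); the LAN/WAN addresses, port numbers and program names are constructed:

```python
from dataclasses import dataclass

LAN_PC = "192.168.1.10"        # constructed LAN address of the trusted PC
ROUTER_WAN = "203.0.113.7"     # constructed ISP-provided external address
WEB_SERVER = "198.51.100.20"   # constructed remote web server

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
class HomeRouter:
    """NAT + SPI: external ports open only for sessions a LAN host started."""
    def __init__(self):
        self.sessions = {}        # nat_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.next_nat_port = 40000

    def outbound(self, pkt):
        # LAN -> WAN: record the session and rewrite the "from" address (NAT).
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        nat_port = next((p for p, s in self.sessions.items() if s == key), None)
        if nat_port is None:
            nat_port, self.next_nat_port = self.next_nat_port, self.next_nat_port + 1
            self.sessions[nat_port] = key
        return Packet(ROUTER_WAN, nat_port, pkt.dst, pkt.dport)
    def inbound(self, pkt):
        """WAN -> LAN: forward only replies matching a known session, else drop."""
        sess = self.sessions.get(pkt.dport)
        if pkt.dst != ROUTER_WAN or sess is None or sess[2:] != (pkt.src, pkt.sport):
            return None
        return Packet(pkt.src, pkt.sport, sess[0], sess[1])

class EgressFilter:
    """Software-firewall style per-program outbound control (the 'is it OK?' prompt)."""
    def __init__(self, allowed_programs):
        self.allowed, self.alerts = set(allowed_programs), []
    def permit(self, program, pkt):
        if program in self.allowed:
            return True
        self.alerts.append(f"{program} -> {pkt.dst}:{pkt.dport}")
        return False

def demo():
    router, egress = HomeRouter(), EgressFilter({"browser.exe"})
    # 1. Browser opens a web session: egress OK, router NATs it and opens the return path.
    req = Packet(LAN_PC, 51000, WEB_SERVER, 80)
    on_wire = router.outbound(req) if egress.permit("browser.exe", req) else None
    reply = router.inbound(Packet(WEB_SERVER, 80, ROUTER_WAN, on_wire.sport))
    # 2. Unsolicited probe from the Internet: no matching session, SPI drops it.
    probe = router.inbound(Packet("192.0.2.99", 4444, ROUTER_WAN, 31337))
    # 3. An unexpected program (constructed name) tries to phone home: the router
    #    would pass it, only the egress check flags it.
    home = Packet(LAN_PC, 52000, "192.0.2.99", 80)
    return {"nat_src": on_wire.src, "reply_to": reply.dst, "probe_dropped": probe is None,
            "phone_home_allowed": egress.permit("unknown.exe", home), "alerts": egress.alerts}
```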
Posted on: 05 October 2004 by Paul Ranson
My router/ADSL modem has a firewall that only allows nominated ports to be opened outgoing. This cannot stop a bad guy 'phoning home' on (for instance) 80, but it does stop some post infection abuse. Not that I've ever been infected.

Paul
Posted on: 05 October 2004 by Mekon
Thanks Matthew, very informative. I have SPI and only use nice programs from nice people, so I've come to the conclusion that a personal firewall is unnecessary. FWIW, I passed all the 'Shields Up!!' tests, which I guess anyone with a NAT firewall and SPI would, right?
Posted on: 05 October 2004 by Mekon
I've really got to get over my smiley aversion.
Posted on: 05 October 2004 by Martin Payne
I should have ADSL available before the end of the year, and I'm thinking of getting a combined ADSL modem / router for my rapidly growing home network (to be).

Everyone here at work seems to recommend the NetGear 834 (or 834G). Anyone any thoughts on these models? They have four ports with 10/100 LAN and 802.11g on the "g" model.

Since a couple of my machines have Gigabit network ports on the motherboards, I wondered if there is any point looking for something that might make use of this? It's only a home network, but if a job's worth doing, surely it's worth over-doing?

Also, I have seen some nifty little stand-alone print server devices to make my printer accessible to any device on the network. With three PCs & a laptop I've already run out of ports, and that's without any future stuff.

Grateful for any advice.

cheers, Martin

E-mail:- MartinPayne (at) Dial.Pipex.com. Put "Naim" in the title.
Posted on: 05 October 2004 by matthewr
What I am confused about is the situation where someone circumvents your router/firewall by connecting directly to your wireless LAN because you failed to secure it properly.

How does a software firewall such as Zone Alarm help here? They are in your LAN and can do all sorts of things via standard ports and protocols that your firewall will quite happily allow.

Or, to put it another way, if you had a very secure wired network and then stuck a publicly accessible ethernet port on the outside of your house so anyone could connect directly to the trusted side of your network I am not clear what good a software firewall would do to help.

Matthew
Posted on: 05 October 2004 by cunningplan
quote:
I should have ADSL available before the end of the year, and I'm thinking of getting a combined ADSL modem / router for my rapidly growing home network (to be).

Everyone here at work seems to recommend the NetGear 834 (or 834G). Anyone any thoughts on these models? The have four ports with 10/100 LAN and 802.11g on the "g" model.


Hi Martin
I'm no networking expert unlike some on the forum, but I have the Netgear DG834G model and it works perfectly well.
It has a very easy setup wizard which should have you up and running in no time. Their 24hr Technical support line is also very good.

Regards
Clive
Posted on: 05 October 2004 by ErikL
Well, I certainly don't behave like a muppet WRT internet behavior, my router is the Netgear WGR614 (v4), and I knew most of what Matthew spelled out, minus the bits about outgoing traffic. I run Win2k, the Netgear has SPI, and I was using WEP in combination with MAC, but changed to WPA-PSK this minute. I see there's an option to specify "Default DMZ Server", and a "Remote Management" option (?). There's also the ability for blocking schedules, blocking sites, and blocking services, but the latter isn't like choosing any executable on my HDD.

From ZoneAlarm I know "spoolsv.exe" keeps trying to access the Internet and I keep denying it. Running AVG and AdAware I found nada.

Looking at the site for the router now I see it also offers tunneling via VPN, and DoS. I saw neither when I was logged into the router but will peek again.

[This message was edited by Ludwig on Tue 05 October 2004 at 17:48.]
Posted on: 05 October 2004 by matthewr
See http://www.neuber.com/taskmanager/process/spoolsv.exe.html for info on spoolsv.exe

Matthew
Posted on: 05 October 2004 by Mike Hughes
Matthew,

Just so you know that we don't bear grudges I'd just like to echo Cliff and others in saying what an excellent summary that was.

Mike
Posted on: 06 October 2004 by Mekon
There's a piece on ZDnet this morning reporting that MS are encouraging the use of additional (personal?) firewalls because of the limits of current firewalls.
quote:
"Firewalls are like retarded routers. They just look at the ports, sources and destinations they like. If a train comes from Gare du Nord [Paris] to Waterloo [London] via Eurostar you allow it to enter the country because you trust it. That's what firewalls currently do. They don't check to see if al-Qaeda is riding inside."

Baumhardt gave the example of how many hackers use port 80 to enter a network because it is treated as trusted traffic. He added that it was also important to protect the network internally, not just at the perimeter.
So NAT plus Zonealarm then?
Posted on: 06 October 2004 by matthewr
He's implying the use of more sophisticated forms of SPI that not only drop packets that are not part of a known session between the correct endpoints, but also understand the protocols involved and can do even more rigorous context specific checking.

Such things are currently expensive (esp. when done in hardware) and way beyond the knowledge levels of most users and many sysadmins. People are already confused by firewalls and I'm not sure that making it more complicated will help.

On Edit: Having a quick look at the article he appears to be a) talking about corporate networks and b) trying to flog MS's ISA Server through the usual mixture of hysteria and misinformation favoured by those who work in sales for security related technology.

Matthew

PS In the world of analogies, Terrorism appears to have replaced Motoring.
Posted on: 06 October 2004 by pingu
Ludwig said

"I see there's an option to specifiy "Default DMZ Server""

DON'T DO IT

This option effectively opens a load of ports direct to the PC you have specified [as the DMZ Host] onto the internet.

This is why [I guess] Cliff mentioned three port firewalls, where you can be demilitarised, rather than totally open. In the DMZ on these types of Firewalls you can still be protected by NAT and other precautions (eg VPN for inter-connection of your laptop to the host PC for instance) but have a higher state of security for things in the Militarised zone.

Pseudo DMZ on a two port router is rather like picking on one PC to stick directly onto the internet using a modem.

If you have to use a two port router, only open the ports you specifically want to open - for example PCAnywhere - but if you do open anything up you need to put protection on the target PC (eg Zone Alarm, Norton Internet Security or whatever).

cj
Posted on: 06 October 2004 by pingu
Matthew said

"What I am confused about is the situation where someone circumvents your router/firewall by connecting directly to your wireless LAN because you failed to secure it properly."

That is another issue altogether.

If you agree that a firewall is needed to protect your intranet from an insecure network (the internet) then it follows that you should firewall all the insecure networks (modem connections, wireless access points etc).

For example, if the wardriver hacks your WEP and gets onto your LAN, he could a) use your internet access for free (not a worry with broadband, although you might not want him spamming to your mail provider (!)). He could then try to get into your PCs. One way would be via F&PS (which we have already seen done to death), and another would be via known exploits with (inter alia) IIS, Messenger etc.

I don't know Zone Alarm very well, but I presume it provides more protection than the MS Operating System itself.

What do you use Matthew?

Personally I would go for a 3 port firewall with DMZ.

More Matthew "They are in your LAN and can do all sorts of things via standard ports and protocols that your firewall will quite happily allow."

Surely it depends on the firewall and what ports you leave open. For example Norton Internet Security challenges all incoming and outgoing connections on all ports (AFAIK). It then prompts you to confirm (for each one) whether to allow it or not, and it then remembers what you allowed. I guess it naturally gets less secure over time.

The Hardware Firewall with DMZ option (recommended by me and Cliff) is a better bet (although these are £500 +) as, inter alia, you have another layer of NAT hiding your PC.

[This message was edited by pingu on Wed 06 October 2004 at 12:44.]
Posted on: 06 October 2004 by John Sheridan
quote:
inter alia

Cliff, if you're going to post using different aliases to try and confuse Matthew, it would perhaps be best not to use such an identifying phrase in your postings.
Posted on: 06 October 2004 by pingu
You'll have to try harder than that John. Inter alia is just Latin for amongst others, and any public schoolboy might use it. Matthew Robinson, inter alia, might use it in fact.


cj not ccp
Posted on: 06 October 2004 by Joe Petrik
quote:
Cliff, if you're going to post using different aliases to try and confuse Matthew, it would perhaps be best not to use such an identifying phrase in your postings.


I thought pingu's comment "Bring back Joel, and his dancing friend and the scouse git and then you could have some real arguments (!)" more or less revealed who's behind the keyboard, but I'm waiting for an "it's/its" slip up before making up my mind.


Joe
Posted on: 06 October 2004 by John Sheridan
quote:
Originally posted by pingu:
You'll have to try harder than that John. Inter alia is just Latin for amongst others, and any public schoolboy might use it. Matthew Robinson, inter alia, might use it in fact.


cj not ccp

I know what it means, but Cliff is the only person I know that ever makes frequent (some would say monotonous) use of it. Strange coincidence that your last post did likewise, no?